
Neglect of Security Policies Threatens Organization’s Data

An alarming number of IT professionals too often break security policies, or neglect them out of ignorance of their merit, a survey by the Ponemon Institute revealed.

The survey, based on opinions from about 890 IT professionals, was conducted after the UK's Her Majesty's Revenue and Customs (HMRC) lost the records of 25 million people. The findings showed that more than cost cutting or ordinary workers' poor comprehension of security rules and policies puts company data at risk.

Sources said that the total cost of a breach rose to a median of $197 per record, 8% higher than in 2006 and 43% higher than in 2005. The median cost of a breach was estimated at $6.3 million. Other costs, such as loss of associated business, went up by 30% and accounted for a mean of $128 per compromised record.

During the survey, 80% of respondents said that they were not sure whether shutting down network firewalls was a breach of policy. This might explain why 17% of respondents admitted turning off their firewall systems.

Larry Ponemon, chairman of the US privacy think tank, said that the basic message from the study is that the people concerned are either not reading IT security policies, not understanding them, or not following them. ComputerWorldUK published this on December 7, 2007.

The Institute's report is a reminder of the information security gaps that, according to analysts, are often found inside corporations. Although organizations have focused over the years on protecting networks from external threats, fewer have concentrated on malicious or inadvertent data leaks from inside. That perhaps explains why, although external hackers get a lot of discussion, security managers still find threats from internal compromises more worrying.

Further in the survey, over 50% of participants said that they copied confidential data from company systems onto USB memory devices, although 87% knew that company policy prohibited such an act.

The survey findings also revealed that 64% of organizations have never prepared a detailed list of sensitive data relating to consumers, and another 64% haven't inventoried data on employees.